Data Protection Policy
INDEX
1. Introduction
2. Definitions
3. Scope
4. The Principles
5. Our Procedures
6. Special Categories of Personal Data
7. Responsibilities
8. Subjects Access Requests
9. Right to Erasure
10. Audits, Monitoring and Training
11. Reporting Breaches
Viberts is committed to protecting the rights & freedom of data subjects and safely & securely processing their data in accordance with our legal obligations.
We hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes.
This policy sets out how we seek to protect personal data, and to ensure that our staff understand the rules governing the use of data to which they have access.
2.1 Personal Data:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.2 Special Categories of Personal Data:
Special categories of data include information about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings, and genetic and biometric information. Any use of special categories of personal data should be strictly controlled in accordance with this policy.
2.3 Data Controller:
‘Data controller’ means the natural or legal person, public authority, agency or other body which (alone or jointly with others) determines the purposes & means of the processing of personal data; where the purposes & means of such processing are determined by law. Viberts is classified as a data controller.
2.4 Supervisory Authority:
This is the national body responsible for data protection. The supervisory authority for our organisation is the Office of the Information Commissioner in Jersey.
All staff must be familiar with this policy and comply with its terms.
This policy should be read in conjunction with any other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be made available to staff before being adopted.
3.1 Who is responsible for this policy?
As our Operations Manager, Nick Miller has overall responsibility for the implementation of this policy. You should contact him for further information as necessary.
Viberts shall comply with the principles of data protection enumerated in the EU General Data Protection Regulation, and in the Data Protection (Jersey) Law 2018. We will make every effort possible to comply with these principles.
1. Lawful, fair and transparent
Data collection must be fair and for a legal purpose, and we must be open & transparent as to how the data will be used.
2. Limited for its purpose
Data can only be collected for a specific purpose.
3. Data minimisation
Any data collected must be necessary and not excessive for its purpose.
4. Accurate
The data we hold must be accurate and kept up to date.
5. Retention
We cannot store data longer than necessary.
6. Integrity and confidentiality
The data we hold must be kept safe & secure.
5.1 Fair and lawful processing:
We must process personal data fairly & lawfully in accordance with individuals’ rights under the first principle.
This generally means that we should not process personal data unless the individual has consented to this happening.
If we cannot apply a lawful basis (explained below), our processing does not conform to the first principle and will be unlawful. Data subjects have the right to have any unlawfully processed data erased.
5.2 Lawful basis for processing data:
We must establish a lawful basis for processing data. It is your responsibility to check the lawful basis for any data you manage, and to ensure that your actions comply with this lawful basis. At least one of the following conditions must apply whenever we process personal data:
- Consent
We hold recent, clear, explicit and defined consent for the data to be processed for a specific purpose.
- Contract
The processing is necessary to fulfil or prepare a contract for the individual.
- Legal obligation
We have a legal obligation to process the data (excluding a contract).
- Vital interest
Processing the data is necessary to protect a person’s life or in a medical situation.
- Public function
Processing is necessary to carry out a public function or a task of public interest, or the function has a clear basis in law.
- Legitimate interest
The processing is necessary for our legitimate interests. This condition does not apply if there is a good reason to protect the individual’s personal data which overrides the legitimate interest.
6. SPECIAL CATEGORIES OF PERSONAL DATA
6.1 What are special categories of personal data:
Previously known as sensitive personal data, this is data about an individual which is more sensitive and therefore requires more protection. This type of data could create more significant risks to a person’s fundamental rights & freedoms, for example by putting them at risk of unlawful discrimination. The special categories include information about an individual’s:
- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics (where used for ID purposes)
- health
- sexual orientation
In most cases where we process special categories of personal data we will require the data subject’s explicit consent to do this, unless exceptional circumstances apply or we are required to do so by law (e.g. to comply with legal obligations). Any such consent will need to clearly identify the relevant data, why it is being processed and to whom it will be disclosed.
If we do not have a lawful basis for processing special categories of data, that processing activity must cease.
6.2 Confidential Data
Where data does not fall into one of the above categories, consideration should still be given to the nature of the associated information. Due care should be taken with all personal data and, in particular, with that deemed to be confidential (e.g. financial details from organisations such as Lloyds Bank).
7.1 Your responsibilities
- Fully understand your data protection obligations.
- Check that your data-processing activities comply with our policies.
- Do not use data in any unlawful way.
- Do not store data incorrectly, be careless with it or otherwise cause us to breach data protection laws or our policies.
- Comply with this policy at all times.
- Raise any concerns, notify any breaches or errors, and report anything suspicious or contradictory to this policy or our legal obligations without delay.
7.2 Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive given the purpose for which it was obtained. We will not process personal data for any unconnected purpose, unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Individuals may ask that we correct inaccurate personal data relating to them. If you believe that information is inaccurate you should record this fact and inform the relevant parties within the firm.
7.3 Data security
You must keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, the DPO will establish what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
7.4 Storing data securely
- Confidential documents should be kept in a secure place where they cannot be accessed by unauthorised personnel.
- Printed information should be shredded when it is no longer needed.
- Data stored on CDs or memory sticks must be encrypted or password-protected and locked away securely when not in use.
- The Viberts Operations Manager must approve any use of cloud storage.
- All appropriate measures should be used to keep data secure.
7.5 Transferring data internationally
There are restrictions on the international transfer of personal data. You should understand the rules & procedures governing such transfers.
8.1 What is a subject access request?
An individual has the right to understand how their personal data is being processed, and to gain access to the data and any supplementary information.
8.2 How we deal with subject access requests (SARs)
We must provide an individual with a copy of their information free of charge. This must occur without delay and, where possible, within one month of the request. We should endeavour to provide data subjects with their information in a commonly-used electronic format.
If requests are complex or numerous, deadlines can be extended to three months, but the individual must be informed within one month. You must obtain approval before extending the deadline.
We can refuse to respond to certain requests and can, where the request is manifestly unfounded or excessive, charge a fee. If a large quantity of data is requested, we can ask the individual to specify the particular information they require. This can only be done with express permission.
To initiate a response to a SAR, please contact the individual identified above in ‘Who is responsible for this policy?’.
8.3 Data portability requests
We must provide the data requested in a structured, commonly-used & machine-readable format. This would normally be a CSV file, although other formats are acceptable. We must provide this data to the individual who has requested it, or to a nominated data controller. This must be done free of charge and without delay. (See previous section.)
9.1 What is the right to erasure?
An individual has the right to have their data erased and for processing to cease in the following circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected and/or processed.
- Where consent is withdrawn.
- Where the individual objects to processing and there is no overriding legitimate interest for continuing the processing.
- Where the data has been unlawfully processed or data protection laws have otherwise been breached.
- To comply with a legal obligation.
- Where the processing relates to a child.
9.2 How we deal with the right to erasure
We can only refuse to comply with a right to erasure in the following circumstances:
- To exercise the right of freedom of expression & information.
- To comply with a legal obligation for the performance of a public-interest task or exercise of official authority.
- For public health purposes in the public interest.
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes.
- To exercise or defend against legal claims.
If personal data has been passed on to other recipients, those parties must be contacted and informed of their obligation to erase the data. Also, if requested, we must inform the data subject as to the identity of any other parties with whom information has been shared.
9.3 The right to object
Individuals have the right to object to their data being used, on grounds relating to their particular situation. We must cease processing unless:
- We have legitimate grounds, overriding the interests & rights of the individual.
- The processing relates to the exercise or defence of a legal claim.
We must always inform the individual of their right to object at the first point of communication, e.g. in Viberts’ privacy notice.
10. AUDITS, MONITORING AND TRAINING
10.1 Data audits
Regular data audits (to manage & mitigate risks) will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
10.2 Monitoring
This data protection policy must be observed by all staff. We will keep the policy under review, and amend it as required. Any policy breaches must be reported.
10.3 Training
You will receive data protection training specific to your role. You must complete all training as requested. If you change role or responsibilities, you are responsible for requesting new data protection training relevant to your new role or responsibilities.
Any breach of this policy, or of data protection laws, must be reported as soon as you have become aware of the breach. Viberts has a legal obligation to report any data breaches to the Office of the Information Commissioner.
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary.
- Maintain a register of compliance failures.
- Notify the Information Commissioner of any material compliance failures.
Any member of staff who fails to report a breach, or who knows or suspects that a breach has occurred but has not followed the correct reporting procedures, will be liable to disciplinary action.
11.1 Failure to comply
We take compliance with this policy very seriously. Failure to comply puts both you and the firm at risk, and may lead to disciplinary action.
If you have any questions or concerns about anything in this policy, please do not hesitate to contact the relevant individuals.